njrat | bd5fa7ccde2dbc145685b36d66c3c6161e7e780308bd6ec29666139908e7db26

General

Target

6a5f6fba52919a8f6f8e371284c3458b.exe
Size

104KB
MD5

6a5f6fba52919a8f6f8e371284c3458b
SHA1

669cba3048a250fdb53c4a708ae7b92006072942
SHA256

bd5fa7ccde2dbc145685b36d66c3c6161e7e780308bd6ec29666139908e7db26
SHA512

5bb20db97e23e93a1c4a6e54bc0b13973012e04d71f4b3efd3e5e1ba691fb0d86a6fbd758446ceab7827be9cb790998d432ed4150d6ddbfdf17b7f8314386e13

Score

10^/10

njrat nyan cat persistence suricata trojan

Malware Config

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

paomarca.duckdns.org:2054

Mutex

fede6f9724

Attributes

reg_key
fede6f9724
splitter
@!#&^%$

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata

Core1 .NET packer 1 IoCs

Detects packer/loader used by .NET malware.

Processes:

resource	yara_rule
behavioral1/memory/628-62-0x0000000000670000-0x000000000068D000-memory.dmp	Core1

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6a5f6fba52919a8f6f8e371284c3458b.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\file.exe = "C:\\Users\\Admin\\AppData\\Local\\file.exe"	6a5f6fba52919a8f6f8e371284c3458b.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes:

6a5f6fba52919a8f6f8e371284c3458b.exe

description	pid	process
Token: SeDebugPrivilege	628	6a5f6fba52919a8f6f8e371284c3458b.exe
Token: 33	628	6a5f6fba52919a8f6f8e371284c3458b.exe
Token: SeIncBasePriorityPrivilege	628	6a5f6fba52919a8f6f8e371284c3458b.exe
Token: 33	628	6a5f6fba52919a8f6f8e371284c3458b.exe
Token: SeIncBasePriorityPrivilege	628	6a5f6fba52919a8f6f8e371284c3458b.exe
Token: 33	628	6a5f6fba52919a8f6f8e371284c3458b.exe
Token: SeIncBasePriorityPrivilege	628	6a5f6fba52919a8f6f8e371284c3458b.exe
Token: 33	628	6a5f6fba52919a8f6f8e371284c3458b.exe
Token: SeIncBasePriorityPrivilege	628	6a5f6fba52919a8f6f8e371284c3458b.exe
Token: 33	628	6a5f6fba52919a8f6f8e371284c3458b.exe
Token: SeIncBasePriorityPrivilege	628	6a5f6fba52919a8f6f8e371284c3458b.exe
Token: 33	628	6a5f6fba52919a8f6f8e371284c3458b.exe
Token: SeIncBasePriorityPrivilege	628	6a5f6fba52919a8f6f8e371284c3458b.exe
Token: 33	628	6a5f6fba52919a8f6f8e371284c3458b.exe
Token: SeIncBasePriorityPrivilege	628	6a5f6fba52919a8f6f8e371284c3458b.exe
Token: 33	628	6a5f6fba52919a8f6f8e371284c3458b.exe
Token: SeIncBasePriorityPrivilege	628	6a5f6fba52919a8f6f8e371284c3458b.exe
Token: 33	628	6a5f6fba52919a8f6f8e371284c3458b.exe
Token: SeIncBasePriorityPrivilege	628	6a5f6fba52919a8f6f8e371284c3458b.exe
Token: 33	628	6a5f6fba52919a8f6f8e371284c3458b.exe
Token: SeIncBasePriorityPrivilege	628	6a5f6fba52919a8f6f8e371284c3458b.exe
Token: 33	628	6a5f6fba52919a8f6f8e371284c3458b.exe
Token: SeIncBasePriorityPrivilege	628	6a5f6fba52919a8f6f8e371284c3458b.exe
Token: 33	628	6a5f6fba52919a8f6f8e371284c3458b.exe
Token: SeIncBasePriorityPrivilege	628	6a5f6fba52919a8f6f8e371284c3458b.exe
Token: 33	628	6a5f6fba52919a8f6f8e371284c3458b.exe
Token: SeIncBasePriorityPrivilege	628	6a5f6fba52919a8f6f8e371284c3458b.exe
Token: 33	628	6a5f6fba52919a8f6f8e371284c3458b.exe
Token: SeIncBasePriorityPrivilege	628	6a5f6fba52919a8f6f8e371284c3458b.exe
Token: 33	628	6a5f6fba52919a8f6f8e371284c3458b.exe
Token: SeIncBasePriorityPrivilege	628	6a5f6fba52919a8f6f8e371284c3458b.exe
Token: 33	628	6a5f6fba52919a8f6f8e371284c3458b.exe
Token: SeIncBasePriorityPrivilege	628	6a5f6fba52919a8f6f8e371284c3458b.exe
Token: 33	628	6a5f6fba52919a8f6f8e371284c3458b.exe
Token: SeIncBasePriorityPrivilege	628	6a5f6fba52919a8f6f8e371284c3458b.exe
Token: 33	628	6a5f6fba52919a8f6f8e371284c3458b.exe
Token: SeIncBasePriorityPrivilege	628	6a5f6fba52919a8f6f8e371284c3458b.exe

C:\Users\Admin\AppData\Local\Temp\6a5f6fba52919a8f6f8e371284c3458b.exe
"C:\Users\Admin\AppData\Local\Temp\6a5f6fba52919a8f6f8e371284c3458b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/628-59-0x000000013FD80000-0x000000013FD81000-memory.dmp

Filesize
4KB

Download
memory/628-61-0x0000000000640000-0x0000000000667000-memory.dmp

Filesize
156KB

Download
memory/628-62-0x0000000000670000-0x000000000068D000-memory.dmp

Filesize
116KB

Download
memory/628-63-0x00000000022B0000-0x00000000022B2000-memory.dmp

Filesize
8KB

Download
memory/628-64-0x0000000000830000-0x0000000000838000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads